Russia-Linked Hackers Leak Football Doping Files

A group of hackers believed to be operating out of Russia has leaked emails and medical records related to football (soccer) players who used illegal substances.

The group calls itself Fancy Bears and claims to be associated with the Anonymous hacktivist movement. They have set up a website, fancybears.net, where they leaked numerous files as part of a campaign dubbed “OpOlympics.”

“Today Fancy Bears’ hack team is publishing the material leaked from various sources related to football,” the hackers said. “Football players and officials unanimously affirm that this kind of sport is free of doping. Our team perceived these numerous claims as a challenge and now we will prove they are lying.”

The leaked files include emails exchanged between the Fédération Internationale de Football Association (FIFA) and representatives of anti-doping agencies discussing the test results of various football players. The files also provide information on the number of players using illegal substances -- without specifically naming any players -- and therapeutic use exemptions (TUEs), which allow athletes to take prohibited substances for medical reasons.

The files contain information on several important players allowed to use TUEs at the 2010 World Cup, including Mario Gomez, Carlos Tevez, Juan Sebastian Veron, Dirk Kuyt and Ryan Nelsen. However, the emails dumped by the hackers are dated as recent as June 2017.

The hackers said they leaked the files to show that more than 150 players were caught doping in 2015, and the number increased to 200 in 2016.

Both the Football Association and FIFA condemned the leak of confidential medical information.

The same hacker group previously targeted the International Association of Athletics Federations (IAAF) and the World Anti-Doping Agency (WADA). The hackers now also described the files as “WADA documents” and some of them appear to originate from the Anti-Doping Administration and Management System (ADAMS). SecurityWeek has reached out to WADA for comment.

While the Fancy Bears that took credit for these attacks claim to be hacktivists, researchers have linked the previous leaks to Fancy Bear, a notorious cyber espionage group believed to be sponsored by the Russian government. The threat actor is tracked by various security firms as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The first Fancy Bear leak came shortly after investigations exposed state-sponsored doping in Russia. The latest release may have been triggered by similar events.

“Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations. When the Russian athletic team was banned from participating in World Athletics Championships in London, embarrassing IAAF doping reports about major Western athletes were made public,” explained Recorded Future’s Insikt Group.

“As international pressure on Russia intensifies, with open calls to strip Russia of World Cup in 2018 and recent the FIFA investigation into suspected prohibited substance abuse of the national soccer team, today's release was almost guaranteed to surface,” it added. “The message reads very clear and loud - ‘Dare to touch us, we'll come after you. Don't expect us to remain silent and maintain status quo’.”

UPDATE. WADA told SecurityWeek that the leaked files do not originate from its ADAMS system. The organization has provided the following statement:

The World Anti-Doping Agency (WADA) is aware that, today, cyber espionage group ‘Fancy Bear’ once again released information; in particular, confidential athlete data regarding Therapeutic Use Exemptions (TUEs) on its website.

As WADA takes data privacy very seriously, the Agency immediately examined the information; and, was quickly able to determine that it is not housed in WADA’s Anti-Doping Administration & Management System (ADAMS).

Stakeholders can rest assured that ADAMS remains secure.

We take this opportunity to reiterate that the TUE process is a means by which an athlete can obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition. The TUE program is a rigorous and necessary part of elite sport, which has overwhelming acceptance from athletes, physicians and all anti-doping stakeholders worldwide.

This criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a clear violation of athletes’ rights.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.